Project

General

Profile

Actions

Bug #23178

closed

Wrong HTTP headers sent when trying to access pages that require login

Added by Ingo Renner over 14 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
Site Handling, Site Sets & Routing
Target version:
-
Start date:
2010-07-14
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
4.4
PHP Version:
5.2
Tags:
Complexity:
Is Regression:
No
Sprint Focus:
On Location Sprint

Description

When trying to access a login protected page while not being logged in it may happen that a wrong header is sent.
The install tool allows to set a header for the page not found handling: [FE][pageNotFound_handling_statheader]
The default value for this setting is "HTTP/1.0 404 Not Found"
In a case where access is denied because the user is not logged in, this is the wrong header of course, it should be 401 instead.

Proposed solution: In case where access is denied because of missing privileges, TYPO3 should ignore the mentioned setting and send a 401 instead.

(issue imported from #M15114)


Files

15114.diff (957 Bytes) 15114.diff Administrator Admin, 2010-07-15 15:57

Related issues 4 (0 open4 closed)

Related to TYPO3 Core - Bug #16472: Non accessible Page And PageNotFound Handler.ClosedAlexander Opitz2006-08-15

Actions
Related to TYPO3 Core - Bug #58728: Regression: unaccessible protected section with shortcut in rootlineClosed2014-05-12

Actions
Related to TYPO3 Core - Bug #86346: Hidden pages sent 403 HeaderClosed2018-09-21

Actions
Has duplicate TYPO3 Core - Feature #51088: Improve Frontend error handlingClosed2013-08-15

Actions
Actions #1

Updated by Ingo Renner over 14 years ago

The solution for this issue may result in being able to remove the $TYPO3_CONF_VARS['FE']['pageNotFound_handling_statheader'] option if we are always sending the correct headers.

Need to check whether there are more places where this option is used...

Actions #2

Updated by Dmitry Dulepov over 14 years ago

TYPO3 treats such cases as "not found", not as "access denied". I am not sure why but it is historical (since 3.x I think). It makes sense from security point of view because "access denied" tells that something is there but "page not found" does not reveal that protected content exists. This is called "security by obscurity".

Actions #3

Updated by Hassan Ait about 14 years ago

Thanks Ingo, I've just tested your fix and it works fine for me (TYPO3 Version: 4.3). What about the fact to add a different page error for unauthorized pages. I made a test with the following code and it works for me. It supposes to add a new parameter [FE][pageUnauthorized_handling]

Index: typo3/sysext/cms/tslib/class.tslib_fe.php

function pageNotFoundAndExit($reason='', $header='') {
$header = $header ? $header : $this->TYPO3_CONF_VARS['FE']['pageNotFound_handling_statheader'];
if ($this->pageNotFound === 1 || $this->pageNotFound === 2) {
$code=($this->TYPO3_CONF_VARS['FE']['pageUnauthorized_handling']) ? $this->TYPO3_CONF_VARS['FE']['pageUnauthorized_handling'] : $this->TYPO3_CONF_VARS['FE']['pageNotFound_handling'];
}
else {
$code=$this->TYPO3_CONF_VARS['FE']['pageNotFound_handling'];
}
$this->pageNotFoundHandler($code, $header, $reason);
exit;
}

Actions #4

Updated by Ingo Renner over 12 years ago

  • Category deleted (Communication)
  • Assignee set to Ingo Renner
  • Target version deleted (0)
Actions #5

Updated by Gerrit Code Review over 12 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10281

Actions #6

Updated by Gerrit Code Review over 12 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10281

Actions #7

Updated by Ingo Renner over 12 years ago

  • Target version set to 6.0.0
Actions #8

Updated by Gerrit Code Review over 12 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10281

Actions #9

Updated by Gerrit Code Review over 12 years ago

Patch set 4 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10281

Actions #10

Updated by Gerrit Code Review about 11 years ago

Patch set 5 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/10281

Actions #11

Updated by Christian Kuhn almost 10 years ago

  • Status changed from Under Review to New
  • Is Regression set to No

The pending patch was abandoned after some discussion.

The solution should be different and needs a new approach. Some hints on how this could be solved are given in the abandoned patch for anyone who wants to pick this issue up again and re-push a new solution.

Actions #12

Updated by Mathias Schreiber about 9 years ago

  • Target version deleted (6.0.0)
Actions #13

Updated by Susanne Moog about 7 years ago

  • Category set to Site Handling, Site Sets & Routing
  • Assignee deleted (Ingo Renner)
Actions #14

Updated by Markus Klein about 7 years ago

This must be a 403 header. 401 must only be used together with http-authentication header, not custom authentication within PHP.

Actions #15

Updated by Gerrit Code Review about 7 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54495

Actions #16

Updated by Gerrit Code Review about 7 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54495

Actions #17

Updated by Benni Mack almost 7 years ago

  • Sprint Focus set to On Location Sprint
Actions #18

Updated by Gerrit Code Review almost 7 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54495

Actions #19

Updated by Markus Klein almost 7 years ago

  • Assignee set to Markus Klein
Actions #20

Updated by Gerrit Code Review almost 7 years ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54814

Actions #21

Updated by Markus Klein almost 7 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #22

Updated by Gerrit Code Review almost 7 years ago

  • Status changed from Resolved to Under Review

Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54814

Actions #23

Updated by Gerrit Code Review almost 7 years ago

Patch set 3 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54814

Actions #24

Updated by Gerrit Code Review almost 7 years ago

Patch set 4 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54814

Actions #25

Updated by Markus Klein almost 7 years ago

  • Status changed from Under Review to Resolved
Actions #26

Updated by Sascha Egerer about 6 years ago

  • Related to Bug #86346: Hidden pages sent 403 Header added
Actions #27

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF